RE: strange issues..

To: Peter Mueller <pmueller@xxxxxxxxxxxx>
Subject: RE: strange issues..
Cc: "''lvs-users@xxxxxxxxxxxxxxxxxxxxxx' '" <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Wed, 23 May 2001 00:12:17 +0000 (GMT)

        Hello,

On Tue, 22 May 2001, Peter Mueller wrote:

> > 1.  tcpdump -len host 64.211.248.11
>
> This is one request for the VIP
> {{{{ From real server #1, only server in loop currently to simplify analysis
> }}}}
> [root@fe4026 fea]# /usr/sbin/tcpdump -len host 64.211.248.11
> Kernel filter, protocol ALL, datagram packet socket
> tcpdump: listening on all devices
> 10:33:11.341911 eth1 < 0:d0:b7:a9:c1:bc 0:0:0:0:0:1 ip 62:
> 208.177.165.227.64395 > 64.211.248.11.www: S 2833366593:2833366593(0) win
> 16384 <mss 1460,nop,nop,sackOK> (DF)
> 10:33:14.236010 eth1 < 0:d0:b7:a9:c1:bc 0:0:0:0:0:1 ip 62:
> 208.177.165.227.64395 > 64.211.248.11.www: S 2833366593:2833366593(0) win
> 16384 <mss 1460,nop,nop,sackOK> (DF)
> 10:33:20.246000 eth1 < 0:d0:b7:a9:c1:bc 0:0:0:0:0:1 ip 62:
> 208.177.165.227.64395 > 64.211.248.11.www: S 2833366593:2833366593(0) win
> 16384 <mss 1460,nop,nop,sackOK> (DF)

        I see the requests come to the real server. Right?

        I think something has changed in your setup. In the above
trace it seems your real server drops the requests without even
replying/forwarding them. This can be caused by rp_filter protection
on the incoming device. Maybe your default gateway is not through
eth1 and eth1/rp_filter=1. There are not many cases where packets can
disappear in the real server without any good/bad reply. The other
case is if you drop them in eth1 via an ipchains rule.

        But I can't understand how an ACCEPT rule will make loops.
Loops are possible only when the RS forwards the requests instead of
accepting them. On which host is the policy changed between ACCEPT
and DENY?

        Some rules:

always echo 1 > /proc/sys/net/ipv4/route/flush

when you play with some device flags (of course not all need this
flush but ... maybe you don't know it)

        For the test set /proc/sys/net/ipv4/conf/*/rp_filter to
0 and ipchains policy to ACCEPT. And after successful operation start
to play with them again.

        Make sure the -j REDIRECT rules are before any ACCEPT rules,
i.e. use:

-A input -j ACCEPT
and
-I input -j REDIRECT

        to avoid such problems. I think you run into problems when
playing by hand with some ipchains rules. Check their order.
REDIRECT before ACCEPT!

        Create scripts that, when executed, init the chains and
all settings before applying your new settings. There are ipchains
commands that can reset everything. This way you can tune your
setup and apply it again after changes.

> thanks,
>
> Peter


Regards

--
Julian Anastasov <ja@xxxxxx>
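
Added example, not part of the original message: a shell check for the case described above, where an interface has rp_filter=1 but the default route leaves through a different device. The function names, the proc-root parameter and the sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: find interfaces where strict rp_filter (=1) is set but the
# default route leaves through a different device, the case described above.
# Heuristic only: it looks at the default route and the per-interface value,
# not at conf/all or at more specific routes.

# Print the device that carries the default route.
# /proc/net/route columns: Iface Destination Gateway Flags RefCnt Use Metric Mask ...
default_route_dev() {
    awk 'NR > 1 && $2 == "00000000" && $8 == "00000000" { print $1; exit }' \
        "$1/net/route"
}

# Print one suspect interface per line; $1 is the proc root (default /proc).
rp_filter_suspects() {
    root=${1:-/proc}
    gw_dev=$(default_route_dev "$root")
    for f in "$root"/sys/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        dev=$(basename "$(dirname "$f")")
        case $dev in all|default|lo) continue ;; esac
        if [ "$(cat "$f")" = 1 ] && [ "$dev" != "$gw_dev" ]; then
            echo "$dev"
        fi
    done
}

# Constructed sample tree (not taken from the thread): default route via eth0,
# eth1 on 10.0.0.0/24 with rp_filter=1, as in the suspected misconfiguration.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/net"
    for d in all default lo eth0 eth1; do
        mkdir -p "$t/sys/net/ipv4/conf/$d"
        echo 1 > "$t/sys/net/ipv4/conf/$d/rp_filter"
    done
    printf 'Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n' > "$t/net/route"
    printf 'eth1\t0000000A\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n' >> "$t/net/route"
    printf 'eth0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n' >> "$t/net/route"
    echo "$t"
}

sample=$(make_sample_tree)
rp_filter_suspects "$sample"    # prints: eth1
rm -rf "$sample"
```

On a live host, call `rp_filter_suspects` with no argument to read the real /proc.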


